Access request completed for entitlement on delimited file source, but no account or access was assigned

I am submitting an access request in SailPoint ISC to grant an entitlement from a Delimited file source using the access-request API: create-access-request | SailPoint Developer Community

ISC API call succeeded | method=POST path=/access-requests status=202

Request Sample:

{
  "requestType": "GRANT_ACCESS",
  "requestedForWithRequestedItems": [
    {
      "identityId": "12a8a56944974c218d16b3da56233673",
      "requestedItems": [
        {
          "id": "14c3b4d4ce7d39299a2025e644b43843",
          "type": "ENTITLEMENT",
          "comment": "Granting entitlement 14c3b4d4ce7d39299a2025e644b43843"
        }
      ]
    }
  ],
  "clientMetadata": {
    "requestSource": "Access request"
  }
}

The request eventually shows as completed. The process history includes:

  • Request submitted
  • Separation of Duties Check
  • Approved by manager
  • Automatically reassigned from to
  • Manual task completed by
  • Provisioning
  • Request completed

However, after completion, the access is not actually visible on the identity:

  • No account is created for the user on the delimited file source. [New User]
  • The entitlement does not appear under My Access > Entitlements.
  • Searching the delimited source accounts does not show an account for the requested identity.
  • Only accounts that were previously aggregated from the file are present in the delimited source.

Question:

  • Can ISC create or update accounts for a delimited file source through an access request?
  • What is the recommended approach for JIT access requests when the entitlement belongs to a delimited file source?

Hi @shsakshi ,

The CSV file needs to be updated (by the approver) before completing the manual task.

So, after the next aggregation, the account identity and account are updated in ISC.

Hi @shsakshi

This is currently a limitation of the delimited file source, as end-to-end provisioning is not available by default.

Once a request is submitted and approved, a manual task is created and assigned to the source owner. Prior to fulfillment, the owner must manually construct a CSV file and import the account information. Otherwise, if the task is simply completed, nothing happens (no account creation, no addition or removal of entitlements).

In many IGA tools, completing such manual tasks updates the information internally.

This limitation is already mentioned in this idea: Disconnected Application - Onboarding and | SailPoint Ideas Portal and is currently in discovery.

Workaround

  • Many customers generally use Service Desk Integrations with an ITSM tool. In this setup, any access request related to delimited file sources creates a ticket, and once the ticket is completed, ISC automatically updates the corresponding CSV-based source information.
  • You can also explore several alternative approaches:
    • With the Account API, you can create or update an account on a delimited file source: Accounts | SailPoint Developer Community
    • For example, you could use a script or workflow to periodically check all completed access requests and then use the Account API to update the information accordingly.
    • Or you can use a workflow triggered by an access request submission and build logic to populate the required information using the Account API. You can also assign a form to the owner to confirm the action before execution.
    • Note: We have already tested this, and unfortunately the “Provisioning Completed” trigger is not fired when a source owner fulfills the task. Therefore, it cannot be used in this scenario.
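
The periodic reconciliation suggested in the reply above, as an added example that is not part of the original thread and is not SailPoint code: it compares completed requests with the accounts currently aggregated from the CSV and plans the account changes still missing, including revocations that were marked complete while the access remains on the account. The record layout, the `groups` and `id` attribute names, and the payload shape are assumptions to check against the Accounts API documentation and the source's account schema; the sample data is constructed.

```python
"""Reconcile completed access requests against a delimited-file source (added example)."""

# Constructed sample data; field names are simplified assumptions, not the ISC response schema.
COMPLETED_REQUESTS = [
    {"identity": "id-alice", "entitlement": "ent-finance", "type": "GRANT_ACCESS"},
    {"identity": "id-bob", "entitlement": "ent-finance", "type": "GRANT_ACCESS"},
    {"identity": "id-carol", "entitlement": "ent-admin", "type": "REVOKE_ACCESS"},
    {"identity": "id-dave", "entitlement": "ent-hr", "type": "GRANT_ACCESS"},
]
SOURCE_ACCOUNTS = {  # identity -> entitlements currently aggregated from the CSV
    "id-bob": {"ent-hr"},
    "id-carol": {"ent-admin", "ent-hr"},
    "id-dave": {"ent-hr"},
}

def plan_actions(requests, accounts):
    """Return the account changes needed so the source matches the completed requests."""
    desired = {ident: set(ents) for ident, ents in accounts.items()}
    created = set()
    for req in requests:  # applied in order, so a later revoke overrides an earlier grant
        ident, ent = req["identity"], req["entitlement"]
        if ident not in desired:
            if req["type"] != "GRANT_ACCESS":
                continue  # nothing to revoke when no account exists
            desired[ident] = set()
            created.add(ident)
        if req["type"] == "GRANT_ACCESS":
            desired[ident].add(ent)
        elif req["type"] == "REVOKE_ACCESS":
            desired[ident].discard(ent)
    actions = []
    for ident in sorted(desired):
        if ident in created:
            if desired[ident]:  # skip accounts that would be created with no access
                actions.append(("create", ident, sorted(desired[ident])))
        elif desired[ident] != accounts[ident]:  # already-correct accounts need no call
            actions.append(("update", ident, sorted(desired[ident])))
    return actions

def to_account_payload(source_id, ident, entitlements):
    """Build an Account API request body (shape and attribute names are assumptions)."""
    return {"attributes": {"sourceId": source_id, "id": ident, "groups": entitlements}}

if __name__ == "__main__":
    for op, ident, ents in plan_actions(COMPLETED_REQUESTS, SOURCE_ACCOUNTS):
        print(op, to_account_payload("SOURCE_ID_PLACEHOLDER", ident, ents))
```

Each planned action would then be sent to the Account API as a create or update call; logging the planned actions before sending them gives the source owner a record of every request that completed without a matching change on the source.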